Commit Graph

35 Commits (c1d3c7cd7583addd6b40fef0c6a9019cd9053ae8)

Author SHA1 Message Date
Jordan Wright bb7de8df3e
Initial Implementation of a Password Policy (#1867)
This PR adds the initial work to implement a password policy as defined in #1538.

Specifically, this implements the following

* Rate limiting for the login handler
* Implementing the ability for system admins to require a user to reset their password
* Implementing a password policy that requires passwords to be a minimum of 8 characters
* Removes the default password (gophish) for admin users to instead have the password randomly generated when Gophish first starts up
* Adds a password strength meter when choosing a new password

Fixes #1538
2020-06-19 22:03:51 -05:00
Jordan Wright 84096b8724
Implement User Management API (#1473)
This implements the first pass for a user management API allowing users with the `ModifySystem` permission to create, modify, and delete users. In addition to this, any user is able to use the API to view or modify their own account information.
2019-05-31 13:58:18 -05:00
Jordan Wright a73ac4ab7c Fixed various minor linting issues 2018-12-15 21:38:51 -06:00
Jordan Wright 5d23263898
Moved logging to logrus package. Not perfect yet (still want to update the access logs), but should set the foundation to make better logging in the future. 2018-05-03 19:07:41 -05:00
Shuhei Kitagawa d7810ddd2b Fix to raise error when trying to register a duplicate username (#926)
This corrects a minor error from recent changes in which registering an existing username didn't throw an error.
2018-01-13 16:35:58 -06:00
Shuhei Kitagawa 405bc5effe Refactor GetUserByUsername method not to suppress an error (#920)
Also adding some other tests for the User models.
2018-01-11 18:37:38 -06:00
s vignesh bfb7fd11e8 Fixing XSS Vulnerabilities
This pull request fixed XSS vulnerabilities identified in the gophish admin panel.

**Important: These vulnerabilities could only be exploited if someone had access to the admin panel already, and could only exploit the vulnerability against the same account.**
2016-09-15 00:52:58 -04:00
Jordan Wright 103fd72cc8 Fixing context issues with Go 1.7. 2016-09-14 22:24:51 -05:00
Jordan Wright cb70e0b953 Making all cookies httponly - Fixes #333 2016-08-06 16:00:36 -05:00
Rob Cutmore a5a7b23479 Use more descriptive variable names in auth.go 2016-03-02 19:59:40 -05:00
Rob Cutmore e39ae8dfdd Confirm password on registration or change
Updated to confirm password when registering user or changing a
user's password.

Fixes #180
2016-03-02 08:33:27 -05:00
Jordan Wright 3d9e447992 Removing support for empty passwords - fixes #149 2016-02-13 16:37:12 -06:00
Jordan Wright 32aaa15da7 Added documentation for multiple endpoints. Fixes #54 2016-01-24 20:47:16 -06:00
Jordan Wright fc6d556742 Caused API key to be generated dynamically for admin user. Fixes #60 2016-01-12 20:46:17 -06:00
Jordan Wright 1081258c02 Fixing dependencies 2016-01-11 22:46:48 -06:00
Jordan Wright 737f41e5c6 Updated bcrypt dependency - fixes #63 2016-01-10 14:54:59 -06:00
unknown f21d40d77a Registration works again.
Additional cleanup, removing unused code
2015-02-07 17:30:22 -06:00
Jordan e137126a90 Working on gorm integration
TODO:
[ ] Finish up groups (many-to-many with group_targets)
[ ] Convert Template models
2014-03-25 23:53:51 -05:00
Jordan 584d7dbc23 Major refactoring - modularized models into separate files. Removed db package (moved to models)
I will be looking to migrate to gorm (instead of gorp) soon!
2014-03-24 22:31:33 -05:00
Jordan a3882cbf02 A couple more auth.go cleanups 2014-03-18 14:35:02 -05:00
Jordan 38db9480a2 Cleaned up comments for auth.go 2014-03-18 14:28:47 -05:00
Jordan eb8491c144 Implemented ChangePassword() (now password can be changed from /settings)
A couple of UI fixes in tables
2014-02-10 13:02:44 -06:00
Jordan 40cd2ae837 Cleaned up some errors
Implemented using db.* helpers (ie GetUser)
Implemented ChangePassword (not reachable from UI currently)
Fixed angular issue in settings.html template
2014-02-06 10:49:53 -06:00
Jordan 50292da53f Implemented Registration
Created auth.GenerateSecureKey to handle generating API Keys
2014-02-04 18:39:01 -06:00
Jordan e312e90570 Added ability to reset API token
Cleaned up session flash handling
2014-02-02 14:47:06 -06:00
Jordan 87fbd41184 Changing int to int64
Starting to implement angularjs
Implemented /api/campaigns/:id GET
Changed template delims to {{% and %}}
2014-01-31 20:49:22 -06:00
Jordan c59415a133 Adding some models - Incorporated use of `gorp` package to allow ORM'ish functionality 2014-01-30 15:08:14 -06:00
Jordan 6944854005 Added support for --setup flag to reset database 2014-01-12 22:39:40 -06:00
Jordan 4ad8c3c468 Implemented GetUserByAPIKey and changed GetUser to GetUserById 2014-01-12 20:00:52 -06:00
Jordan cdb4181406 Renamed CheckLogin to Login
Changed encryption cookie to be 32 bytes (64 bytes not supported)
2014-01-11 00:10:52 -06:00
Jordan 2a62f62bc6 Cleaned API even more (everything is via HandlerFunc)
Sessions are now encrypted as well as signed.
2014-01-10 22:37:42 -06:00
Jordan 61ef18b3b4 Implemented auth.GetUser(id)
Impemented RequireLogin() middleware
Login is now working, just need to clean up the architecture a bit
2014-01-09 22:21:12 -06:00
Jordan bb627396ee Implemented Flashes (Model and functionality)
Working on login functionality
Changed the way templates are loaded and rendered
2014-01-09 21:21:54 -06:00
Jordan 7eb90b27ad Moved DB to root folder
Created db package to handle DB connection/queries
Removed Setup.go (now handled in db package)
Setup context in middleware
2014-01-09 17:18:49 -06:00
Jordan 7f084760f9 Major refactoring - created auth, config, models, controllers, and middleware packages. Should help provide modularity and a clean architecture.
Added doc.go for each package
2014-01-09 00:42:05 -06:00